AMENDMENTS TO THE CLAIMS: 

This listing of claims will replace all prior versions, and listings, of 
claims in the application: 

LISTING OF CLAIMS: 

1. (Currently Amended) A method of providing a Certificate Status 
Service ("CSS") for checking validities of authentication certificates issued by 
respective issuing Certification Authorities ("CAs"), comprising the steps of: 

receiving one or more certificate status queries from requesting 
entities; 

if the issuing CAs are not found on a CSS's list of approved CAs or the 
certificates have expired, returning Invalid statuses for those certificates; 

if the current statuses are found in the CSS's status cache, returning 
those certificates' statuses; 

if any status has not yet been determined, fetching all certificate 
status reporting methods and communications information from a 
configuration store of the CSS that are needed for retrieving a status of each 
certificate whose status has not yet been determined from the respective 
issuing CAs; 

configuring connectors based on the identified information for 
communicating with the issuing CAs; 

communicating with the issuing CAs according to the configured 
connectors; 

retrieving the status of all queried authentication certificates; 

processing the certificate statuses according to an appropriate 
certificate status reporting method that may include, but is not limited to, 
Certificate Revocation Lists (CRLs) that are retrieved at specified publication 
intervals, Delta Certificate Revocation Lists (ΔCRLs) that are retrieved upon 
notification, LDAP, OCSP, and any other certificate status means that are 
queried and retrieved using real-time protocols; 

recording retrieved certificate statuses in the CSS's cache memory; 

returning the retrieved certificate statuses to the requesting entities; 

wherein the issuing CAs and connector parameters are designated on a 
list of approved CAs in the configuration store that enable the CSS to 
interwork with any CAs and CA domains even though they can operate using 
dissimilar certificate practices and policies. 

2. (Currently Amended) The method of claim 1, wherein a certificate is 
deemed to have expired if a local date and time are outside a validity period 
as indicated in the certificate. 
3. (Currently Amended) The method of claim 2, wherein the issuing CA 
is added to at least one organization's list of approved CAs by vetting and 
approving the issuing CA according to predetermined business rules, wherein 
the business rules include at least one rule for reviewing the acceptability of 
the CA's certificate policy and practices for ensuring the identity of the entity 
requesting the certificate, and if the issuing CA is vetted and not approved or 
later disapproved, the issuing CA is added to the organization's list of 
not-approved CAs in the configuration store and/or has any prior entry 
removed from the organization's list of approved CAs. 

4. (Currently Amended) The method of claim 3, wherein vetting and 
approving the issuing CA include registering a representation of a trusted 
authentication certificate of the CA with the CSS and adding at least a status 
reporting component of the CA, the certificate status reporting method 
including, but not limited to, CRL, OCSP, LDAP, a time-to-live data element, 
and communication information needed to configure a connector to the CSS's 
configuration store. 

5. (Currently Amended) The method of claim 4, further comprising the 
steps of: 

checking and updating a local cache memory for the certificate status, 
and if the status is found in the local cache memory, checking that the local 
date and time are within the certificate's validity period, and that the 
time-to-live data element and use-counter values are within a threshold; 

if any of the validity period, time-to-live data element, or use-counter 
values are unacceptable, clearing the local cache memory, 

wherein if the status is not found in the local cache memory, the CSS 
establishes a communication session with the certificate status reporting 
component of the issuing CA, composes a certificate status request using one 
of the CRL or real-time reporting methods according to the configured 
connector, retrieves the status from the certificate status reporting component, 
closes the communication session with the certificate status reporting 
component, and adds at least one of the certificate's identification, status, 
use-counter, and time-to-live data element to the local cache memory. 

6. (Currently Amended) The method of claim 1, wherein the certificate 
status reporting method is indicated to be a CRL, according to a publication 
schedule of the issuing CA, wherein the CSS retrieves the CRL from a 
certificate status reporting component listed in the configuration store, the 
CSS clears the cache memory associated with the issuing CA, and the CSS 
extracts the status of all authentication certificates from the CRL and stores 
the statuses in the cache memory associated with the issuing CA. 

7. (Currently Amended) The method of claim 1, wherein the certificate 
status reporting method is indicated to be a ΔCRL, wherein upon notification 
by the issuing CA that the ΔCRL is available, the CSS retrieves the ΔCRL from 
a certificate status reporting component listed in the configuration store and 
if the ΔCRL is a full CRL, then the CSS clears the cache memory associated 
with the issuing CA, extracts all certificate statuses from the CRL, and stores 
the statuses in the cache memory, and if the ΔCRL contains changes occurring 
after publication of a full CRL, the CSS extracts all certificate statuses from 
the ΔCRL, and stores the statuses in the cache memory. 

8. (Currently Amended) The method of claim 1, wherein the 
communicating step includes communicating according to a plurality of 
connectors to multiple CAs and PKIs. 

9. (Currently Amended) The method of claim 1, wherein the connector 
allows more than one certificate status request to be chained together in a 
single communicating step. 
10. (Currently Amended) The method of claim 1, wherein the 
certificates are held in the configuration store until expiration and 
information is extracted as needed. 

11. (Currently Amended) The method of claim 1, wherein the retrieving 
of the status of the certificate issued by the approved CA in response to a 
query from a trusted third-party repository of information objects to the CSS 
to validate the authentication certificate's status comprises the steps of: 

locating and reporting the status if the status is present and current in 
the cache memory of the CSS; 

if the status is not present in the cache memory, performing the steps 
of: 

obtaining the communications information, status type, and retrieval 
method from the CSS configuration store; 

if the status type is CRL and the CRL in the cache memory is current, 
and the status is not found in the cache memory, then reporting the status 
as valid; 

if the CRL is not current or is not found in the cache memory, local 
time is greater than a next scheduled publication time for the CRL, or the 
status type is not CRL, creating a connector and composing a certificate 
status request according to the status type; 

establishing a communication session with a status reporting 
component of the issuing CA; 

retrieving the status from the CA's status reporting component using 
the obtained retrieval method and ending the communication session; 

interpreting the retrieved status; 

associating, with the interpreted retrieved status, a time-to-live value 
representing a period specified by the respective CSS policy for the status 
type; 

adding at least one of the certificate's identification, status and 
time-to-live values to the cache memory; and 

reporting the status to the trusted third-party repository of information 
objects. 

12. (Cancelled) 

13. (Cancelled) 

14. (Cancelled) 
15. (Currently Amended) The method of claim 1 for providing certificate 
status reports for authentication certificates issued by the approved CAs, 
further comprising: 

reporting valid certificate status when the status type is CRL, the CRL 
is current, and the status is not found in the cache memory; 

reporting the status when the status is found in the cache memory and 
the time-to-live and use-counter values have not exceeded respective 
thresholds; 

if either the time-to-live or use-counter values have exceeded the 
threshold, clearing the status from the cache memory; 

if the certificate status has not been reported in a previous step, then 
requesting and retrieving the status using the status type indicated in the 
configuration store; 

when the status type is CRL, retrieving and parsing the new CRL at a 
next indicated publication time; 

when the status type is at least one of the type LDAP, OCSP, and any 
other real-time certificate status reporting protocol, retrieving and parsing 
the status; 

adding at least one of the certificate's identification, status, time-to-live 
and use-counter data element values to the cache memory; and 

reporting the retrieved status to the requesting entity. 

16. (Currently Amended) The CSS of claim 15, wherein a status 
use-counter data element is added to the cache memory, wherein the status 
use-counter data element is incremented or decremented every time the 
certificate's status is checked, and if the status use-counter data element 
passes a threshold, then the status is reported and the cache memory is 
cleared with respect to the status. 

17. (Currently Amended) The CSS of claim 16, wherein a status 
last-accessed data element is added to the cache memory, and the status 
last-accessed data element in conjunction with the status use-counter data 
element enable the CSS to determine an activity level of the certificate's 
status. 

18. (Currently Amended) The CSS of claim 17, wherein when a request 
is made to the CSS to retrieve a status of a new certificate and the cache 
memory has reached an allocated memory size limit, the CSS searches the 
cache memory for every certificate status entry where the current time 
exceeds the time-to-live value, for every certificate status entry where the 
value of the use-counter data element exceeds the threshold, and for the at 
least one certificate status entry with the oldest last-accessed value, wherein 
the CSS then clears the respective cache memory entries, and the CSS then 
retrieves the requested certificate status, places the certificate status in the 
cache memory, and reports the requested certificate status to the requesting 
entity. 
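The cache behaviour laid out in claims 5 through 7 and 15 through 18 (validity-period check before anything else, time-to-live and use-counter thresholds on cached entries, per-CA cache reset on a full CRL with incremental update from a delta CRL, the "current CRL that does not list the serial means valid" rule of claim 11, and eviction when the allocated cache is full), as an added, runnable sketch. This is example code written for this page, not the applicant's implementation: certificates are keyed by (issuer, serial) pairs, a CRL is a plain set of revoked serial numbers carrying a CRL number and next-update time, and every threshold, name and sample value is an assumption. A real CSS would parse X.509 CRLs and reach the CA's status reporting component through the configured connectors.

```python
"""Toy Certificate Status Service (CSS) cache modelled on the claims above.

Added example, not the applicant's code. Certificates are keyed by (issuer, serial);
a CRL is just a set of revoked serials with a CRL number and next-update time.
Thresholds, names and sample values are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    status: str                  # "valid" or "revoked", as retrieved from the CA
    expires_at: float            # absolute time at which the time-to-live runs out
    use_counter: int = 0         # incremented on every cached lookup (claim 16)
    last_accessed: float = 0.0   # with use_counter, indicates activity (claim 17)


@dataclass
class CrlState:
    revoked: set            # serials from the last full CRL plus applied deltas
    crl_number: int         # rises with every CRL or delta, so stale deltas are rejected
    next_update: float      # after this publication time the CRL is no longer current


@dataclass
class CssCache:
    ttl: float = 300.0      # CSS policy: seconds a retrieved status may be reused
    use_limit: int = 10     # CSS policy: cached lookups allowed before a refresh
    max_entries: int = 4    # allocated cache size (small, to exercise eviction)
    entries: dict = field(default_factory=dict)   # (issuer, serial) -> Entry
    crls: dict = field(default_factory=dict)      # issuer -> CrlState

    # Claims 5, 15, 16: serve from cache only while the certificate is inside its
    # validity period and neither the time-to-live nor the use-counter threshold
    # is exceeded; otherwise clear the entry so the caller refetches from the CA.
    def lookup(self, issuer, serial, not_before, not_after, now):
        key = (issuer, serial)
        if not (not_before <= now <= not_after):
            self.entries.pop(key, None)
            return "invalid"            # expired certificates never reach the CA
        entry = self.entries.get(key)
        if entry is None:
            return None                 # cache miss: caller must use the connector
        entry.use_counter += 1
        entry.last_accessed = now
        if now > entry.expires_at or entry.use_counter > self.use_limit:
            del self.entries[key]
            return None
        return entry.status

    # Claim 18: when the cache is full, drop every entry whose time-to-live has
    # run out or whose use-counter passed the threshold; if none qualifies, drop
    # the entry with the oldest last-accessed time.
    def store(self, issuer, serial, status, now):
        key = (issuer, serial)
        if key not in self.entries and len(self.entries) >= self.max_entries:
            stale = [k for k, e in self.entries.items()
                     if now > e.expires_at or e.use_counter > self.use_limit]
            if not stale:
                stale = [min(self.entries, key=lambda k: self.entries[k].last_accessed)]
            for k in stale:
                del self.entries[k]
        self.entries[key] = Entry(status, now + self.ttl, 0, now)

    # Claims 6 and 7: a full CRL replaces the per-CA view and clears that CA's
    # cached statuses; a delta CRL only adds the changes made since the base CRL.
    def ingest_crl(self, issuer, revoked_serials, crl_number, next_update, now, *, delta=False):
        state = self.crls.get(issuer)
        if delta:
            if state is None or crl_number <= state.crl_number:
                return False            # no base CRL held, or delta older than ours
            state.revoked |= set(revoked_serials)
            state.crl_number = crl_number
            state.next_update = next_update
            fresh = set(revoked_serials)
        else:
            for k in [k for k in self.entries if k[0] == issuer]:
                del self.entries[k]
            state = CrlState(set(revoked_serials), crl_number, next_update)
            self.crls[issuer] = state
            fresh = state.revoked
        for s in fresh:
            self.store(issuer, s, "revoked", now)
        return True

    # Claim 11: a current CRL that does not list the serial means the certificate
    # is valid; once the next publication time has passed, the answer is unknown.
    def crl_status(self, issuer, serial, now):
        state = self.crls.get(issuer)
        if state is None or now > state.next_update:
            return None
        return "revoked" if serial in state.revoked else "valid"


if __name__ == "__main__":
    css = CssCache(ttl=100.0, use_limit=2, max_entries=3)
    css.ingest_crl("Example CA", {7, 9}, crl_number=1, next_update=1000.0, now=0.0)
    css.ingest_crl("Example CA", {8}, crl_number=2, next_update=2000.0, now=5.0, delta=True)
    print(css.crl_status("Example CA", 8, now=10.0))           # revoked (via delta)
    print(css.lookup("Example CA", 9, 0.0, 5.0, now=10.0))       # invalid (expired)
    print(css.lookup("Example CA", 7, 0.0, 9999.0, now=10.0))    # revoked (cached)
```

Two design points worth noting. A delta CRL whose CRL number is not greater than the one already held is rejected rather than applied, because applying an old delta could silently resurrect a serial the CA has since revoked. And the validity-period check runs before the cache is consulted, so an expired certificate can never be reported as valid from a stale entry, which is the ordering claim 1 and claim 5 both require.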

19. (Withdrawn) A method of executing a transaction between a 
first party and a second party by transferring control of an authenticated 
information object having a verifiable evidence trail, comprising the steps of: 

retrieving an authenticated information object from a trusted third-party 
repository of information objects, wherein the authenticated information object 
includes a first digital signature block comprising a digital signature of a 
submitting party and a first authentication certificate relating at least an 
identity and a cryptographic key to the submitting party, a date and time 
indicator, and a second digital signature block comprising a second digital 
signature of the trusted third-party repository of information objects and a 
second authentication certificate relating at least an identity and a 
cryptographic key to the trusted third-party repository of information objects; 
the first digital signature block was validated by the trusted third-party 
repository of information objects; and the authenticated information object is 
stored as an authoritative copy information object under the control of the 
trusted third-party repository of information objects; 

executing the retrieved authenticated information object by the second 
party by including in the retrieved authenticated information object a third 
digital signature block comprising at least a third digital signature and a third 
authentication certificate of the second party; and 

forwarding the executed retrieved authenticated information object to a 
trusted third-party repository of information objects, wherein the trusted third- 
party repository of information objects verifies digital signatures and validates 
authentication certificates associated with the digital signatures included in 
information objects by at least retrieving status of the authentication 
certificates from a Certificate Status Service ("CSS") provided according to 
claim 1; the trusted third-party repository of information objects rejects a digital 
signature block if the respective digital signature is not verified or the status of 
the respective authentication certificate is expired or is revoked; and if at least 
one signature block in the information object is not rejected, the trusted third- 
party repository of information objects appends the trusted third-party 
repository's digital signature block and a date and time indicator to the 
information object and takes control of the object on behalf of the first party. 

20. (Withdrawn) The method of claim 19, wherein a signature block 
includes at least one hash of at least a portion of the information object in 
which the signature block is included, the at least one hash is encrypted by 
the cryptographic key of the block's respective signer, thereby forming the 
signer's digital signature, and the signer's digital signature is included in the 
signature block with the signer's authentication certificate. 
21. (Withdrawn) The method of claim 20, wherein the executing 
step includes displaying a local date and time to the second party, affirming, 
by the second party, that the displayed local date and time are correct, and 
correcting the local date and time if either is incorrect. 

22. (Withdrawn) The method of claim 19, wherein if the trusted 
third-party repository of information objects rejects a digital signature block, 
the trusted third-party repository of information objects requests a remedy that 
requires the digital signature to be recomputed and the signature block to be 
reforwarded. 

23. (Withdrawn) The method of claim 19, wherein the trusted third- 
party repository of information objects checks the local date and time for 
accuracy and that they are within a validity period indicated by the second 
party's authentication certificate. 

24. (Withdrawn) The method of claim 23, wherein if the local date 
and time are not within the validity period indicated by the second party's 
authentication certificate, the trusted third-party repository of information 
objects notifies the second party that the authentication certificate is rejected 
and the first party that the transaction is incomplete. 

25. (Withdrawn) The method of claim 19, wherein one or more 
digitized handwritten signatures are included in the information object, and 
placement of the digitized handwritten signatures in a data structure is 
specified by at least one signature tag. 

26. (Withdrawn) The method of claim 19, wherein placement of one 
or more signature blocks in a data structure is specified by at least one 
signature tag. 

27. (Withdrawn) The method of claim 26, wherein one or more 
signature blocks are separately forwarded to the trusted third-party repository 
of information objects with respective signature tags, and the trusted third- 
party repository of information objects validates the signature blocks by: 

rejecting a signature block if either the respective digital signature is not 
verified or the respective authentication certificate is not validated, and 

placing the signature block according to the respective signature tag if 
the signature block is not rejected, 

wherein, to signature blocks sent separately, the trusted third-party 
repository of information objects adds a date and time indication to each 
signature block and appends according to business rules the trusted third- 
party repository's signature block in a wrapper that encompasses the 
information object and placed signature blocks. 

Attorney's Docket No. 1003670-000104.001 
Application No. 10/620,817 
Page 15 

28. (Withdrawn) The method of claim 27, wherein the trusted third- 
party repository of information objects verifies a digital signature and validates 
an authentication certificate in a signature block by: 

determining from the business rules whether a party associated with 
the authentication certificate has authority, 

verifying the party's digital signature, 

checking that the authentication certificate's validity period overlaps the 
trusted third-party repository's current date and time, 

checking that the local date and time falls within an allowable deviation 
from the trusted third-party repository's current date and time, and 

retrieving status of the authentication certificate from the CSS, and 

if any of the preceding steps results in an invalid or false output, the 
digital signature is deemed invalid, the transaction is not executed, otherwise 
the digital signature is deemed valid and the transaction is executed. 

29. (Withdrawn) The method of claim 19, wherein the CSS provides 
authentication certificate status to the trusted third-party repository of 
information objects by at least the steps of checking a local cache memory for 
the status, and if the status is found in the local cache memory and the local 
date and time are within the validity period, retrieving the status from the 
local cache memory; or if the time-to-live or use-counter threshold is 
exceeded, clearing the cache memory entry, wherein if the status is not found 
in the local cache memory, the CSS establishes a communication session 
with a certificate status reporting component of the issuing CA, composes a 
certificate status request, retrieves the status from the certificate status 
reporting component, closes the communication session with the certificate 
status reporting component, and adds at least the authentication certificate's 
identification, status, and a time-to-live data element to the local cache 
memory. 

30. (Withdrawn) The method of claim 19, wherein the first party is a 
first trusted third-party repository of information objects and the transaction is 
for transferring custody of one or more authoritative copies to the first trusted 
third-party repository of information objects from a second trusted third-party 
repository of information objects, an owner of the transaction provides the 
second trusted third-party repository of information objects with a manifest 
that identifies authoritative copies to be transferred to the first trusted third- 
party repository of information objects, the second trusted third-party 
repository of information objects establishes communication with the first 
trusted third-party repository of information objects and identifies the purpose 
of its actions, the manifest is communicated to the first trusted third-party 
repository of information objects so that it is able to determine when the 
transfer of custody has been completed, the second trusted third-party 
repository of information objects transfers each identified authoritative copy 
to the first trusted third-party repository of information objects, the first trusted 
third-party repository of information objects retrieves status of the second 
trusted third-party repository's certificate and verifies the second trusted third- 
party repository's digital signature on each transferred authoritative copy, if 
any of the second trusted third-party repository's digital signatures or 
certificates are invalid, then the first trusted third-party repository of 
information objects notifies the second trusted third-party repository of 
information objects and seeks a remedy, if the second trusted third-party 
repository of information objects does not provide a remedy, the first trusted 
third-party repository of information objects notifies the transaction owner that 
the requested transfer of custody has failed, otherwise the second trusted 
third-party repository of information objects creates a new wrapper for each 
successfully transferred information object, adding a date-time stamp and the 
first trusted third-party repository's signature block. 

31. (Withdrawn) The method of claim 30, wherein the transaction is 
a transfer of ownership in response to an instruction, transfer of ownership 
documentation is placed in either the first trusted third-party repository of 
information objects or the second trusted third-party repository of information 
objects, the trusted third-party repository of information objects having the 
transfer of ownership documentation validates authenticity of the transfer of 
ownership documentation by verifying all digital signatures, certificate validity 
periods, and using the CSS to check certificate status of all authentication 
certificates included in the transfer of ownership documentation, appends a 
date and time indication, and digitally signs, wraps and stores the transfer of 
ownership documentation, which are added to the manifest. 

32. (Withdrawn) The method of claim 19, wherein certificate status 
is indicated to the CSS by a Certificate Revocation List ("CRL"), according to 
a publication schedule of the issuing CA, the CSS retrieves the CRL from a 
certificate status reporting component listed in the configuration store, the 
CSS clears a cache memory associated with the issuing CA, and the CSS 
determines the status of the authentication certificate from the CRL and stores 
the status in the cache memory associated with the issuing CA. 

33. (Withdrawn) The method of claim 19, wherein certificate status 
is indicated to the CSS by a Delta Certificate Revocation List ("ΔCRL"); upon 
notification by the issuing CA that a ΔCRL is available, the CSS retrieves the 
ΔCRL from a certificate status reporting component listed in the configuration 
store; if the ΔCRL is a complete CRL, then the CSS clears a cache memory 
associated with the issuing CA, determines the status from the CRL, and 
stores the status in the cache memory; and if the ΔCRL contains only 
changes occurring after publication of a full CRL, the CSS determines the 
status from the ΔCRL, and stores the status in the cache memory. 

34. (Currently Amended) The method of claim 18, wherein a 
background low-priority cleanup process removes all stale cache entries as 
required when new CRLs or ΔCRLs are retrieved, one of the thresholds is 
exceeded, or freeing up of cache is required. 

35. (Currently Amended) The method of claim 1, wherein any CSS can 
query any other CSS for the certificate status if that CSS is designated in the 
configuration store as an approved certificate status reporting component for 
the issuing CA. 